To give you a great browsing experience free of charge, this site uses cookies. Cookies help us personalize content and ads, provide social media features,
track your preferences, and analyze traffic. Forbes may share this information with its advertising, analytics, and social media partners, who may use it
with information you have provided to them in connection with their services.

Major U.S. Refineries At Risk Of Cyberattacks As Many Continue To Use Windows XP

The end of life of Microsoft’s Windows 7 operating software is almost upon us, with the company saying its updates and patches for the widely used interface will cease after January 14, 2020. In such circumstances, most people would assume that critical plant control system operators must be in a mad scramble to upgrade to the latest version.

Yet astonishingly, key U.S. oil and gas infrastructure facilities continue to use plant control systems underpinned by Windows XP, an even earlier legacy operating software that Microsoft stopped providing patches and upgrades for back in 2014.

Your correspondent found 10 facilities, of varying throughput scale, in three U.S. Gulf Coast states including Texas still operating their plant control systems underpinned by outdated Microsoft operating software. Confidentiality and security clauses of site visits prevent mentioning the facilities directly, but the issue is a serious and widespread concern stateside, according to feedback from plant automation solutions providers such as General Electric Automation and Controls, Emerson and Honeywell.

Many U.S. refineries continue to use legacy software putting themselves at risk of cyberattacks (Photo: Emmanuel Dunand/AFP/Getty Images)

Aggregation of U.S. industry data suggests around a fourth of oil and gas downstream customers of the world’s big five plant automation vendors stateside are still on Windows XP, despite the recent WannaCry virus ransomware attack, and other high-profile cyber intrusions, that exposed the vulnerability of legacy software in recent years.

But what might shock the outside world hardly comes as a surprise to industry insiders. Brendan Sheehan, Senior Director of Marketing at Honeywell Process Solution, the multinational company’s automation division, says upgrading dilemmas for conservative industries such as petrochemicals and refining are not new and go back almost 40 years.

“That’s when plant control systems started gradually migrating from proprietary software the vendors conjured up to largely MS Windows-underpinned operating software on account of cost savings. For the most part, refining and petrochemical plant operators will buy a control system from us and expect it to run 25 to 30 years, and they will often ask us to guarantee supporting it for that period as we do.

“Before the turn of the 1990s, when we had proprietary software, such systems were secure and bespoke but admittedly quite expensive. Then MS Windows platforms started bringing volume, scalability and lower costs, which are visible to this day. We initially thought should we go for Linux, which was more secure and attuned to industrial usage, and more robust than Windows NT at the time. But it wasn’t all that familiar to customers and users, so Windows won.”

As the refining complex, and much of manufacturing for that matter, has moved into the MS Windows world, plant operators now find themselves on a platform that progresses much more quickly than they would like.

The industry has to accept upgrades more often, and vendors, whose plant control systems use MS Windows, have little choice but to acquiesce with each upgrade, and press their customers to do likewise. But that’s all they can do.

“We are telling customers you have to move; we cannot support you if you are on Windows XP. But you can’t force them to move. That’s why you have episodes of cybersecurity breaches, most of which don’t reach the public domain. By some measures, Honeywell counts 30,000 intrusions or attempts at intrusions a day. An outdated system makes protecting customers really hard, though not impossible,” Sheehan says.

Gavin Mead, Principal in KPMG’s Cybersecurity Services, also deems the findings to be unsurprising, as upgrading a plant control system in a conservative industry is not as simple as installing and rebooting your laptop or desktop. It carries major cost and downtime implications for the refinery or petrochemical plant in question.

“Unlike in the [administrative or back-office] IT environment, in many cases the plant IT hardware used in an industrial setting is tightly coupled with the physical equipment it manages or monitors. Upgrading the IT components could require replacement of the entire module (i.e., IT equipment plus the physical components), or even of the whole line, depending on the control system architecture.

“Furthermore, a number of these legacy IT systems are supporting ‘disconnected assets,’ meaning physical devices that do not communicate over a network – for example, very expensive mass spectrometers.”

Forget upgrading from Windows 7, some U.S. refining and petrochemical facilities are still stuck on Windows XP (Photo: Angel Navarrete/Bloomberg)

All of it creates massive challenges for operators, even if the willingness to upgrade is not lacking. While not belittling the concerns over cyber attacks on plant control systems, Mead reckons their segregation from conventional IT for plant operations does offer some modicum of safety.

“These systems may have un-fixable vulnerabilities in many cases [that vendors can't help with and Microsoft won't provide upgrades for any longer], but unlike in the conventional IT environment where everything is highly connected and users are interacting with unknown Internet services on a regular basis, the industrial environment should be much more segregated, static and controlled, enabling a greater tolerance for aged IT systems.”

Be that as it may, another issue Sheehan flags is that often bespoke apps written for specific customers raise further complexities. Being “bespoke,” they are often designed solely for the operating system they are written on. This can cause issues when the plant eventually tries to upgrade the operating software, as the apps may need changes too. All of this, including the installation of headline patches, requires careful planning.

“In fact, incorporating patching is another challenge altogether. We write patched software for customers and make it available as deemed necessary. But normally you want to be in a controlled environment when you are running those patches, and not on a running plant, and certainly not in the middle of something critical.

“And the issuance of patches has become more frequent. You have to remain constantly attuned to updates and patches. So the Human Machine Interface (HMI) had to be made separate from the control system, to enable upgrades without having to upgrade the underlying control system – and that’s how in the end we handle some of the processes and challenges. But admittedly, for the HMI you really are at the mercy of Microsoft.”

Meanwhile, even though the usage of Windows XP is far from over despite repeated warnings for the industry, Honeywell, Yokogawa Electric, GE, ABB and Emerson have all acknowledged they are well in the process of alerting their end customers, both within and beyond the oil and gas sector, about preparing for the end of life of Windows 7.

That is a pretty onerous exercise in itself, as global research firm Gartner reckons Windows 7 is among Microsoft’s most popular Windows operating software, well above the usage penetration of even Windows XP. All the vendors can do is alert end customers, but whether the plant controllers pay heed is another matter.

There is no disputing that a breach of a plant control system could have devastating consequences. In the refining and petrochemical landscape, obvious reputational damage, downtime and financial costs aside, risks could extend to environmental damage, loss of life, fail-safe shutdowns and system destruction. At some point, those on outdated systems ought to ask themselves: Is it really worth the risk? Ignoring it could have devastating consequences.

The author is an oil & gas analyst and market commentator. Follow him on Twitter @The_Oilholic

I am a UK-based oil & gas sector analyst and business news editor/writer with over 20 years of experience in the financial and trade press. I have worked on all major…Read More

I am a UK-based oil & gas sector analyst and business news editor/writer with over 20 years of experience in the financial and trade press. I have worked on all major media platforms – print, newswire, web and broadcast. At various points in my career, I have been an OPEC, Bank of England and UK Office for National Statistics correspondent. Over the years, I have provided wide-ranging oil & gas sector commentary, including pricing, supply scenarios, E&P infrastructure, corporations' financials and exploration data. I am a lively commentator on 'crude' matters for publications and broadcasting outlets including CNBC Europe, BBC Radio, Asian and Middle Eastern networks, via my own website, Forbes and various other publications. My oil market commentary has a partial supply-side bias based on a belief that the risk premium is often given gratuitous, somewhat convenient, prominence by cheeky souls who handle quite a few paper barrels but have probably never been to a tanker terminal or the receiving end of a pipeline. Yet having done both, I pragmatically accept paper barrels [or should we say ‘e-barrels’] are not going anywhere, anytime soon!Read Less